1. Field of the Invention
The present invention relates to computer access security and particularly to security systems for enabling client access to server resources. In particular, it relates to the use of security credential transformation to enable access to multiple separately authenticated resources with a single authentication. More particularly, the present invention relates to access control management in a middle tier server supporting client access to enterprise resources using id mapping on credential transformation.
2. Background and Related Art
Internet technology enables users at client workstations to access data from multiple applications through a single, standard interface. A web browser enables the user to access data that has been published for access on the web. Data access is provided by and controlled by a web server. Such a server receives and responds to requests from a web client. Web servers are a class of "middle tier servers" in the increasingly common three tier internet architecture. The first tier is the client browser while the third tier is made up of a number of enterprise resource servers such as an IBM DB2 database server, or an IBM CICS transaction server. These third tier servers are often legacy computer systems that store critical corporate or enterprise data.
Secure access to enterprise resource data is essential because of the critical nature of that data. Each of the enterprise resources typically maintains its own security mechanism. The web server itself also will have a security mechanism to control access to its data and for use in creating secure communications links between the client and web server. Proliferation of access controls creates problems for the system user because he or she must remember a large number of user-id and password combinations. The appropriate id and password must be entered in order to access a particular enterprise resource frequently leading to user frustration or access failure if the wrong combination is entered.
The basic prior art approach to separate resource validation involves the web server passing authentication requests from the enterprise resource to the client. The client user must then enter the appropriate user id and password to be given access to the enterprise resource. The id and password entered are passed to the enterprise resource by the web server. This approach has the problem of requiring the user to maintain multiple ids and passwords and be prepared to supply the appropriate combination when requested. It also suffers from the stateless nature of the web server. The web server acts on each client request independently. It does not store information about the client and, in particular, does not store the userid and password used to access the enterprise resource. Each request to an enterprise resource from the web server is an independent transaction that must be authenticated. Prior art systems solve this problem by retaining the userid/password at the client during the current session to be supplied transparently back to the enterprise resource when requested. This has the disadvantage of increasing server to client network traffic. Each server to enterprise resource request generates an additional authentication request back to the client with a return response. This has the further disadvantage of increasing the opportunity for the user id and password to be compromised since they are sent across the network often.
A second prior art approach to solving the problem of controlling web server access to enterprise resources is to provide the web server itself with authorization to access the enterprise resources. This is illustrated in FIG. 2. Web browser 202 authenticates itself with web server 204 creating a session with the server. The session may be an unsecure authorized link or it may be a secure session employing a secure link based on encrypted messages according the secure socket layer (SSL) or secure hypertext transform protocol (SHTTP) protocols. Once the session is established, the client is permitted to access enterprise resources 206, 208, 210 with the web server authenticating itself with the enterprise resource (enterprise identifier or eid=MTS.)
The web server authentication approach has the disadvantage of applying a uniform security approach to all clients. Client web access may be limited to specific server applications. However, any client authorized for a particular application may access all data which that application may access based on the server identifier. This is often inconsistent with the security requirements of the enterprise resource which may control access based on the role or individual identity of the user.
A variation of the above prior art approach is to use the userid/password combination required to access the web server as the authentication pair to access the enterprise resource. This has the advantage over the previous approach of supporting individual user authorizations, but has the disadvantage of requiring uniformity of userid/password for a number of enterprise resources. Legacy applications, in particular, may not support a particular userid/password format and it may be impossible to find a common format. Use of a single userid/password combination for multiple system accesses also poses a security risk if the single set is compromised.
Various commercial products have been introduced in an attempt to solve this problem. IntraVerse NetSEAL (TM) from Dascom provides enhanced security between the client and web server or network server. It does not enhance enterprise resource authorization. WebCrusader(tm) from Gradient Technologies, Inc. provides an id mapping service that supports mapping of a web server client id to an id required for enterprise resource access. WebCrusader does not perform credential mapping, i.e. finding the appropriate credentials for a resource based on client identifier. The DCE/Snare(tm) product from IntelliSoft Corp. provides a generalized security framework for TCP/IP access to legacy applications. DCE/Snare supports authentication of client access requests and then passing ("tunneling") those requests directly to the appropriate legacy server. The product supports calling out to programs on the server for mapping the client authorization to the server authentication model. Each of these programs must be specifically developed for and reside on the referenced server. DCE/Snare provides a single default credential transformation for the telnet protocol, however, DCE/Snare requires that the user have the same telnet password on all servers.
The technical problem therefore exists of providing secure access to enterprise resources from a middle tier server that minimizes authentication demands to the client user while providing effective control over enterprise resources. In addition, the problem exists of enabling a client user to access a number of resources using a single authentication without compromising the security of the enterprise resources. Finally, the problem exists of creating a mechanism to allow a middle tier server to control authentication to enterprise resources to support client requests to which the server must respond based on enterprise resources.